
must permeate all levels of society or they will never achieve the levels of
security they need to function effectively as a digital society, with a digital economy, and within
an increasingly digital infrastructure.

Current security challenges

First, let me sum up the information security challenges the security industry faces. Most of
the bad guys, be they nation states or crime syndicates, are well-funded and well aware of the
currently favourable cybercrime risk/reward ratio. In other words, the rewards for cybercriminals
today far outweigh the slim chance they will get caught, and the even slimmer chance they will be
convicted and do serious time for their crime. Rounding out the pool of adversaries are hacktivists
who are prepared to break the law - and into systems - to advance their cause, and a smattering of
individuals on the fringe of society who hack for fame or kicks.


Against these adversaries, enterprises have deployed over the past decade and a half an
impressive array of technology, from hardened operating systems to network firewalls, intrusion
detection systems to application firewalls, antimalware to content filtering. There is also the
growing use of powerful encryption schemes and the secure development lifecycle (SDL) for more
resilient application coding.

The real endpoint

Unfortunately, one consequence of this massive build-up of security technology is an increased
focus by our adversaries on the least technological aspect of the secure computing ecosystem: the
end user.

Let us consider one end user as an example: Scarlett Johansson. Due to allegedly compulsive
email hacking by a Florida man, Christopher Chaney, Ms. Johansson lost control of her email account
and certain personal information therein, including photographs not intended for public
consumption. While embarrassing for Ms. Johansson and the other victims, this matter might not seem
to be relevant to organised cybercrime and national security. However, consider this: investigators
believe Chaney "followed celebrities on social media websites to learn certain personal
information, then used that information to hack into their personal files."

If Ms. Johansson is a typical user of such sites, she will have used the same password,
guessable from shared details of her personal life, for multiple sites. Indeed, a survey last year
by BitDefender revealed that 75% of social networking username and password combinations were
identical to those used for email accounts. A survey this year by ESET revealed that, although 69%
of social networking account owners said they were concerned about security on social networking
sites, 33% had never changed their social networking passwords. Both survey samples were
representative of the general population, meaning a large number of people, some of whom have
password-based access to sensitive government or corporate data, have not been properly educated
about why they need to carefully choose and use passwords.


I'm sure if you questioned a random sample of people, you would find the vast majority answer
“yes” when asked if they know how to use a computer; few, if any, will give the same answer when
asked if they have had computer security training of any kind.

Consider another example: the October 2011 Sony
breach, which was a "weakest link attack" in which credentials were stolen from an insecure
site and tested against a secure site in the certain knowledge that some people will have the same
credentials on both systems. If more people understood and appreciated the inherent dangers of weak
or multiuse passwords, we could start to reduce the chances of such attacks succeeding. Better
awareness of what not to do with email attachments will reduce the chances of major security
breaches like the one suffered
by RSA earlier this year. Sure, that breach did exploit a zero-day vulnerability, but it took
the unwise opening of an attachment to succeed.

The people who engage in cybercrime know this. Finding zero-day vulnerabilities to exploit may
be getting harder, and thus more costly, but finding out people's passwords is getting easier.
Close to 80% of US and UK households now have Internet access. Many households have more
Internet-enabled devices than people. Yet very few users of these devices, who are being asked for
passwords by a wide array of sites and services, have had any training on even the most basic
security measures. So, despite heroic efforts to develop and deploy endpoint security measures, the
bad guys can bypass every piece of security technology by targeting the real endpoint: the end
user.

Cyber Security Awareness Month

The big deal about October 2011 in the US is that, although October has been designated as
National Cyber Security Awareness Month there since 2004, this year the theme of "Our shared
responsibility" helped the event achieve critical mass. There was considerable coverage on local as
well as national news, plus an array of announcements and initiatives from some major industry
players. Google, a company whose future, one might argue, depends upon the general public achieving
some level of confidence in the security of its data, launched the Google Security Center. Firefox
filled its October newsletter with security tips, plus some reminders of the ways Firefox helps
individuals stay safe online. Also in October, Facebook announced new security tools and reminded
users to use existing security features.

Year-round security programmes

However, as anyone who has conducted information security awareness programmes will admit,
achieving lasting awareness is a year-round proposition. One awareness initiative that caught my
eye this October has embraced that idea, and the parallel perception that achieving security
awareness across all sectors of society and all age groups takes a community effort. Started by
ESET, the Slovakian antimalware vendor, the initiative known as Securing Our eCity has taken on a life of
its own and is starting to spread from San Diego (where ESET has its US headquarters) to other
cities in North America and beyond.

Securing Our eCity is different because it involves a wide range of stakeholders, from schools
to Scouts, law enforcement to city employees, government agencies, hospitals and local companies,
big and small. A year-long schedule of events keeps the awareness going and a squad of trained
instructors, all volunteers, are on hand to deliver awareness presentations to civic groups,
churches, or any organisation that promises 25 or more interested listeners.

A programme like this meets a real and growing need and we need similar initiatives here in the
UK. And it’s not just about passwords. People need to know how to live and work securely online,
why they should destroy storage devices they no longer need, why many pop-up ads are too good to be
true, and why they need to keep their firewall up to date. Recent statistics from the UK government
reveal 21% of Internet users admitted their skills are insufficient to protect their personal data.
Frankly, I reckon many people in the other 79% are over-estimating their skills.

At a recent Securing Our eCity symposium, scores of people took a test, conducted in a simulated
office, in which they had to identify all of the visible security problems. Only a handful got full
marks and most people missed at least half a dozen problems that were in plain sight.

Attacks against users are continually evolving and getting more sophisticated, so we also need
to keep everyone’s security knowledge current. The UK government’s Get Safe Online site is a step in the
right direction. But we need our own FTSE 100 companies, who have a vested interest in maintaining
people’s trust in the Internet, to set up innovative programmes like Securing Our eCity here in the
UK if we are to achieve the levels of security needed to function and prosper as a digital
society.

About the author:

Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in
the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that
provides data security services delivering ISO 27001 solutions. He co-authored the book IIS
Security and has written numerous technical articles for leading IT publications. Cobb serves as
SearchSecurity.com's contributing expert for application and platform security topics, and has been
a featured guest instructor for several of SearchSecurity.com's Security School lessons.
